Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Stored cross-site scripting (XSS) in AFFiNE up to version 0.24.1 allows authenticated users to inject malicious scripts via the Avatar Upload Image endpoint, which are executed in the browsers of other users viewing the attacker's profile. The vulnerability requires user interaction (victim must view the malicious avatar) and authenticated access, resulting in limited but confirmed integrity impact. Public exploit code exists; vendor contact attempts yielded no response.
Technical ContextAI
The vulnerability resides in AFFiNE's Avatar Upload Image endpoint, a component that processes user-supplied avatar image data. The root cause is improper input validation or output encoding (CWE-79: Improper Neutralization of Input During Web Page Generation), allowing attacker-controlled data to be stored and later rendered without sanitization in web browsers. This is a stored XSS variant rather than reflected XSS, meaning the malicious payload persists in the application's database and affects multiple victims when they load the attacker's profile or avatar display. The attack vector is network-based but requires prior authentication and user interaction from victims.
Affected ProductsAI
AFFiNE versions up to and including 0.24.1 are affected. The vulnerability specifically impacts the Avatar Upload Image endpoint component. CPE data not provided in available references; affected versions inferred from CVE description range.
RemediationAI
Upgrade AFFiNE to version 0.25.0 or later, which should include sanitization of avatar image uploads. In the interim, implement strict Content Security Policy (CSP) headers to restrict script execution and mitigate XSS impact - specifically, set script-src to 'self' and avoid 'unsafe-inline'. Additionally, perform input validation on avatar uploads at the application layer to reject or sanitize embedded HTML/JavaScript, and consider storing avatars with proper MIME-type enforcement (image-only). If immediate patching is unavailable, restrict avatar upload functionality or disable the feature until a vendor update is released. Note that CSP mitigation does not eliminate the vulnerability but reduces exploitability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today